Ask HN: Microsoft SmartScreen is destroying our business

This!

I worked with a very well-known university that unknowingly had been compromised and was being flagged for malware by various protective services.

They, assuming it was just a false positive, put up a banner at the top of their webpages that said they were falsely being flagged and that visitors should ignore any warnings and essentially shut off any protections for their website.

Meanwhile their site was compromised and attempting to dump payloads onto visitors.

Have you ensured you are not compromised?

Should they then not just reply with "You're on the list because of the malware payload at <URL>"?

In this case, Microsoft "SmartScreen" is a big culprit. Just google "microsoft smartscreen false positive". Tons of support forums on this including even some product companies explaining to their users on how to unblock because of false positives. It happened to some of our customers as well and it is very difficult to explain why we cannot do much except them asking to whitelist somehow or turning off this stupid thing.

This is a good suggestion to check your system carefully.

I have seen and investigated cases where malware runs for everyone except in certain locations or even excluding only the site operators.

Look for weird scripts, includes, base64 decode and exec calls in your codebase/site.

Hijacking for tangentially related question:

> It might be wise to engage a security firm to conduct an investigation if you don't have in-house expertise in this area.

Any good security firms you recommend for a small to midsize website?

I am currently in a 3 day Facebook ban because I posted an NIH (National Institute of Health, peak legitimacy right here) link which was meant to help someone understand something.

Unfortunately, the medical procedure it covered thumbnailed down (in the generated preview) to a fairly graphic photo of a woman's private parts being operated on... and that resulted in an uncontestable instaban. No humans can be reached about it, of course.

I hate automated flagging. Not only can I now not help that person on the platform in question, but I am now discouraged from even using that product further (probably not a bad thing in FB's case!)

The government desperately needs to step in and regulate these automated "destroy your business" practices.

See: spam blacklists

I can absolutely confirm that Edge is blocking sites based on spurious signals. One of mine is still getting a similar warning. We were given an explicit reason, namely that a form action was pointing to a different URL that looked suspicious. The URL was an API service that we also operate. I followed up with their support who said they couldn't remove the warning unless I sent a link to a page on that URL they could look at. I replied that it's an API server and does not have any pages which got no reply. Besides the fact that that's a terrible test of authenticity. We could easily apply a DNS TXT record or something but it wasn't offered as an option. MS are definitely in the wrong in my case and the only solution is to change our implementation and cross our fingers.

If MS have found a compromise they should share it. Making the allegation but not disclosing any reason is just slander.

> It cost me $502, it was FedExed to me in a USB, and I signed my program.

I’m surprised that it apparently had to be delivered physically. Did Comodo generate the private key for you?

Looks like protection racket.

Does it hurt Microsoft in any way to answer those tickets with "no, your site is participating in a phishing campaign"? And maybe tell the OP how, so that he can clean the malicious material?

And yes, that is a major defamation campaign led by Microsoft against the OP. And since MS even refuses to clarify their claim about the OP's wrongdoing, I imagine he would have an easy time in a court.

This. Also: magecart for TTPs.

OTOH it might not be. LinkedIn flagged a domain I own as malware and pointed fingers at Spamhaus. Spamhaus had it flagged, but removed the flag when I objected. Their management claimed sites which they flag did something to deserve it on LinkedIn, but never said what. (There is no malware. It's just cranky, especially to bots.) I doubt that Spamhaus' intent was that someone should publicly mark it as malware for other parties though.

Yea, the first thing I would do is rigorously determine whether the problem is actually a false positive (note: not a "false flag" which is something entirely different). Seems a bit early to jump straight to "it must be a competitor."

Yes, poster needs to talk with a lawyer. Ideally, a company would do this on Day One of the situation.

And keep all the data you can (from Web, marketing, ads, etc.), to try to figure out and show how much this is costing you. "And here's where the hockey stick snapped in half."

You sound like a lawyer.

That's undoubtedly true, but you'll also get a lot of assholes and script kiddies hoping to pwn your site for lulz, and they often don't care who gets hurt along the way. By posting you've just given them an easy legal defense. If it were me, I wouldn't do it. Not worth the risk.

I would however, probably be willing to DM people individually after doing a small amount of due diligence on their comment history. I guess it depends on sensitivity of the site and how desperate they are.

This is risky for things other than malware blacklisting. For example, the attacker can get a certificate for your domain, and then they can access any HTTPONLY and/or SECURE cookies set at the registrable domain level and impersonate your users just by getting someone to visit their page.

This is a good point, to properly "offline" your old hostnames and IPs. I've seen many of these cases where stale DNS started pointing to $BAD_THING

how exactly does this work? I had to request that one of my server's IP address reverse mapped to the domain name. In that circumstance i could see "abandoning" that ip, and maybe it gets reused by someone i can't send a nasty letter to, but other than that, how would some subdomain on my domain pointing to an AWS IP i haven't used in a decade remotely trace back to me or my domain?

Maybe i am too tired and am missing some feature in whois or something.

Thanks, I'll contact them!

We’re a web analytics product. We don’t show any user generated content. All pages (except login/signup/etc..) are behind an authwall.

About 10% of sites don't allow you to use a plus sign in your email address.

I started doing the same years ago and nothing came out of it. Most spam I got subscribed to, seemed to get my details some other way (or sanitised my email).

Go to the website in Microsoft Edge and see what happens. If there's a SmartScreen issue, you will be given a warning message.

If it's for clients, does it really matter whether you're spending $2 or $5 or $10 a month?

> Too many Microsoft shills here.

Can you quote one of the shills? I see people saying that OP should verify that it's a false flag. Are those the shills to whom you're referring?